MODx Evo 1.0.4 (and prior) SQL Injection and Directory Traversal Vulnerabilities
https://forums.modx.com/thread/268/modx-evo-1-0-4-and-prior-sql-injection-and-directory-traversal-vulnerabities#dis-post-1674
Status: Solved
Product: MODx Evolution
Severity: High
Versions: 1.0.4 and prior
Advisory Date: 2011-01-26
Fixed Date: 2011-01-19
Impact:
a) A remote attacker may access or view arbitrary files on the server.
b) A remote attacker may execute arbitrary PHP code as a result of SQL injection.

Description
JPCERT/CC has issued the following advisories:
a) http://jvn.jp/en/jp/JVN95385972/index.html
b) http://jvn.jp/en/jp/JVN54092716/index.html

Solution
Upgrade to MODx Revolution 1.0.5 available here: http://modxcms.com/download.html#ga
Read the Release Announcement for Evolution 1.0.5.
netProphET, Jan 28, 2011, 02:13 PM